Bug 15915 - Service named doesn't start after upgrade 4.22.x to 4.23
Summary: Service named doesn't start after upgrade 4.22.x to 4.23
Status: RESOLVED DUPLICATE of bug 15920
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS plugin (BIND DLZ)
Version: 4.23.0
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Amitay Isaacs
QA Contact: Samba QA Contact
Reported: 2025-09-12 16:51 UTC by bkammers
Modified: 2025-09-20 00:50 UTC


Attachments
possibly related patch (1.25 KB, patch) - 2025-09-16 21:42 UTC, Douglas Bagnall

Description bkammers 2025-09-12 16:51:52 UTC
Hi,

I've upgraded my lab test from 4.22.x to 4.23 and the named service doesn't start anymore.

My system: Debian 12 (amd64) + Samba4 AD role compiled from source + Bind9.

I see these entries in syslog:

dlz_dlopen failed to open library '/opt/samba/lib/bind9/dlz_bind9_18.so': libsamba-errors.so.1: cannot open shared object file: No such file or directory

kernel: [ 1628.881713] audit: type=1400 audit(1757693431.716:44): apparmor="DENIED" operation="open" profile="named" name="/opt/samba/lib64/libsamba-errors.so.1.0.0" pid=1989 comm="isc-net-0000" requested_mask="r" denied_mask="r" fsuid=104 ouid=0

But the file exists:

root@dc01:~# ls /opt/samba/lib/bind9/
dlz_bind9_10.so  dlz_bind9_11.so  dlz_bind9_12.so  dlz_bind9_14.so  dlz_bind9_16.so  dlz_bind9_18.so

And I put /opt/samba/lib64/** r, in the named AppArmor profile, but it doesn't fix it.
Comment 1 bkammers 2025-09-16 10:48:42 UTC
Found in syslog:

2025-09-16T07:44:01.238972-03:00 dc01 named[1048]: Loading 'AD DNS Zone' using driver dlopen

2025-09-16T07:44:01.238997-03:00 dc01 named[1048]: dlz_dlopen failed to open library '/opt/samba/lib/bind9/dlz_bind9_18.so': libsamba-errors.so.1: failed to map segment from shared object

2025-09-16T07:44:01.239018-03:00 dc01 named[1048]: dlz_dlopen of 'AD DNS Zone' failed
Comment 2 Douglas Bagnall 2025-09-16 21:42:13 UTC
Created attachment 18728
possibly related patch

The only change in the dlz code is 3c53430eed4fb7f1b5975908495c03947065749b, and it looks to me like it uses the wrong state variable.

I can't see exactly how it causes this (given the first file exists) but maybe this helps?

Can you show the permissions?

ls -l /opt/samba/lib/bind9/

and I am guessing 

ls -l /opt/samba/private/dns
Comment 3 bkammers 2025-09-16 22:05:38 UTC
Results:

root@dc01:~# ls -l /opt/samba/lib/bind9
total 432
-rwxr-xr-x 1 root root 69656 set 12 11:57 dlz_bind9_10.so
-rwxr-xr-x 1 root root 69656 set 12 11:57 dlz_bind9_11.so
-rwxr-xr-x 1 root root 69656 set 12 11:57 dlz_bind9_12.so
-rwxr-xr-x 1 root root 69656 set 12 11:57 dlz_bind9_14.so
-rwxr-xr-x 1 root root 69656 set 12 11:57 dlz_bind9_16.so
-rwxr-xr-x 1 root root 69656 set 12 11:57 dlz_bind9_18.so



root@dc01:~# ls -l /opt/samba/private/
total 11712
-rw-r----- 2 root bind     460 out 19  2024 dns.keytab
-rw------- 1 root root    1742 out 19  2024 dns_update_cache
-rw-r--r-- 1 root root    3663 out 19  2024 dns_update_list
-rw------- 1 root root      16 out 19  2024 encrypted_secrets.key
-rw------- 1 root root 1286144 out 19  2024 hklm.ldb
-rw------- 1 root root 1609728 out 20  2024 idmap.ldb
lrwxrwxrwx 1 root root      14 out 19  2024 krb5.conf -> /etc/krb5.conf
srwxrwxrwx 1 root root       0 set 16 19:02 ldapi
drwxr-x--- 2 root root    4096 set 16 19:02 ldap_priv
drwx------ 2 root root    4096 set 16 19:02 msg.sock
-rw------- 1 root root    8888 set 16 19:01 netlogon_creds_cli.tdb
-rw------- 1 root root 1286144 out 19  2024 privilege.ldb
-rw------- 1 root root 4739072 out 19  2024 sam.ldb
drwx------ 2 root root    4096 out 19  2024 sam.ldb.d
-rw------- 1 root root     696 set 16 19:01 schannel_store.tdb
-rw------- 1 root root     671 out 19  2024 secrets.keytab
-rw------- 1 root root 1286144 out 19  2024 secrets.ldb
-rw------- 1 root root  430080 out 19  2024 secrets.tdb
-rw------- 1 root root 1286144 out 19  2024 share.ldb
drwxr-xr-x 2 root root    4096 set 16 07:44 smbd.tmp
-rw-r--r-- 1 root root     955 out 19  2024 spn_update_list
drwxr-xr-x 2 root root    4096 out 19  2024 tls
Comment 4 bkammers 2025-09-16 22:08:05 UTC
Plus:

root@dc01:~# ls -l /opt/samba/bind-dns/
total 16
drwxrwx--- 3 root bind 4096 out 19  2024 dns
-rw-r----- 2 root bind  460 out 19  2024 dns.keytab
-rw-r--r-- 1 root root 1054 out 19  2024 named.conf
-rw-r--r-- 1 root root 2044 out 19  2024 named.txt
Comment 5 Douglas Bagnall 2025-09-16 22:15:56 UTC
Thanks. I think it is probably not the issue, but you could try recompiling with the attached patch to see if it changes anything.
Comment 6 Douglas Bagnall 2025-09-16 22:31:26 UTC
(In reply to Douglas Bagnall from comment #5)

> Thanks. I think it is probably not the issue

Actually I think it is definitely *part* of the issue. Please try with the patch!


You put 

/opt/samba/lib64/** r

in the apparmor profile, but the files are in

/opt/samba/lib/  

(without the 64). Does that make any difference?
Comment 7 bkammers 2025-09-17 11:15:24 UTC
This patch doesn't fix the issue.

Compiled with the patch and adjusted the AppArmor profile, but I still get some errors in syslog.

The error changed from "No such file or directory" to "failed to map segment from shared object":

2025-09-17T08:09:47.997451-03:00 dc01 named[35088]: dlz_dlopen failed to open library '/opt/samba/lib/bind9/dlz_bind9_18.so': libsamba-errors.so.1: failed to map segment from shared object

2025-09-17T08:09:47.998127-03:00 dc01 kernel: [ 1346.402899] audit: type=1400 audit(1758107387.992:52): apparmor="DENIED" operation="file_mmap" profile="named" name="/opt/samba/lib64/libsamba-errors.so.1.0.0" pid=35088 comm="isc-net-0000" requested_mask="m" denied_mask="m" fsuid=104 ouid=0

In the named AppArmor profile, I put this only for tests (but still get denied):

/opt/samba/** r
Comment 8 bkammers 2025-09-17 11:25:54 UTC
I fixed the issue...

Don't know if the patch makes a difference, but I only needed to add the "m" mask to the named AppArmor profile:

/opt/samba/lib64/** rm,

After this, the named service starts and runs...

Is it possible to patch the source to add this fix to the AppArmor profile automatically?

But the log is strange. I think the AppArmor entry should be above the dlz_dlopen entry and not after it...
Comment 9 Douglas Bagnall 2025-09-17 20:47:08 UTC
There were two problems.

One is the bug that made it crash instead of printing the message then stop.

The other is the apparmor problem.

https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration says:

   /usr/local/samba/lib/** rm,
   /usr/local/samba/private/dns.keytab rk,
   /usr/local/samba/private/named.conf r,
   /usr/local/samba/private/dns/** rwk,
   /usr/local/samba/etc/smb.conf r

which I think is out of date (the */private/* ones are no longer used).

> Is it possible to patch the source to add this fix to the AppArmor profile automatically?

Probably not, but it could make suggestions I suppose.

> But the log is strange. I think the AppArmor entry should be above the dlz_dlopen entry and not after it...

This is a race between two different processes, so we can't control that.
Comment 10 bkammers 2025-09-17 20:59:55 UTC
Thanks.

The fix for this issue is:


Create or edit a custom named profile in apparmor:

vim /etc/apparmor.d/local/usr.sbin.named


With this:

/opt/samba/lib/** rm,
/opt/samba/lib64/** rm,
/opt/samba/bind-dns/dns.keytab rk,
/opt/samba/bind-dns/named.conf r,
/opt/samba/bind-dns/dns/** rwk,
/opt/samba/etc/smb.conf r,

Change the /opt prefix to your location.

Then restart your AppArmor service.
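As an added example that is not part of this bug report: a small POSIX shell helper that turns the apparmor="DENIED" audit lines quoted above into candidate file rules for the named profile. The `SAMPLE_DENIALS` text is constructed to match the shape of the lines in the report (the open denial with mask r, the later file_mmap denial with mask m for the same library, plus one made-up keytab denial); the `denials_to_rules` function and its name are mine, not Samba's or AppArmor's.

```shell
#!/bin/sh
# Added example, not code from the bug report: derive candidate AppArmor
# rules for the named profile from apparmor="DENIED" audit lines.
# SAMPLE_DENIALS is constructed: the first two lines mirror the ones in the
# report, the third is a made-up keytab denial to show a second path.
SAMPLE_DENIALS='kernel: [ 1628.881713] audit: type=1400 audit(1757693431.716:44): apparmor="DENIED" operation="open" profile="named" name="/opt/samba/lib64/libsamba-errors.so.1.0.0" pid=1989 comm="isc-net-0000" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
kernel: [ 1346.402899] audit: type=1400 audit(1758107387.992:52): apparmor="DENIED" operation="file_mmap" profile="named" name="/opt/samba/lib64/libsamba-errors.so.1.0.0" pid=35088 comm="isc-net-0000" requested_mask="m" denied_mask="m" fsuid=104 ouid=0
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="named" name="/opt/samba/bind-dns/dns.keytab" requested_mask="r" denied_mask="r"'

# denials_to_rules PROFILE   (reads audit lines on stdin)
# Keeps only DENIED events for PROFILE, merges every denied mask seen for
# each path, and prints one file rule per path in "path rwmk," form.
# Paths containing whitespace are not handled (awk splits on it).
denials_to_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' |
    grep "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
    awk '{ masks[$1] = masks[$1] $2 } END { for (p in masks) print p, masks[p] }' |
    sort |
    while read -r path masks; do
        # normalise the merged letters into the canonical r, w, m, k order
        rule=""
        for letter in r w m k; do
            case "$masks" in *"$letter"*) rule="$rule$letter" ;; esac
        done
        printf '%s %s,\n' "$path" "$rule"
    done
}

# Stand-alone run over the constructed sample; prints:
#   /opt/samba/bind-dns/dns.keytab r,
#   /opt/samba/lib64/libsamba-errors.so.1.0.0 rm,
printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules named
```

The output makes the point of comment 8 visible: the first denial alone suggests `r`, the later file_mmap denial adds `m`, and a shared library needs both. The helper emits per-file rules; the working profile in this thread uses directory globs such as `/opt/samba/lib64/** rm,` instead, which is what goes into /etc/apparmor.d/local/usr.sbin.named before the profile is reloaded (for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`, standard AppArmor tooling rather than a command shown in the report).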
Comment 11 Douglas Bagnall 2025-09-20 00:50:04 UTC

*** This bug has been marked as a duplicate of bug 15920 ***